Add sudo prefix for firewall cmds; sudoers rule in install.sh
www-data needs root to run ufw and fail2ban-client. Added sudo prefix in fw_exec() and a /etc/sudoers.d/novacpx-firewall file (NOPASSWD for specific firewall commands only). install.sh now creates this file on fresh installs. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@@ -11,6 +11,8 @@ $db = DB::getInstance();
// ── Helpers ────────────────────────────────────────────────────────────────
function fw_exec(string $cmd): string {
// Prefix ufw and fail2ban-client with sudo (www-data has NOPASSWD via sudoers.d/novacpx-firewall)
$cmd = preg_replace('/^(ufw|fail2ban-client|systemctl (restart|reload|start|stop) fail2ban)\b/', 'sudo $1', $cmd);
$out = shell_exec($cmd . ' 2>&1');
return trim($out ?: '');
}
@@ -310,7 +312,7 @@ switch ($action) {
// ── Fail2Ban: restart ─────────────────────────────────────────────────
case 'f2b-restart':
$out = fw_exec('systemctl restart fail2ban 2>&1');
$out = fw_exec('sudo systemctl restart fail2ban 2>&1');
audit('firewall.f2b-restart', 'fail2ban');
Response::success(['output' => $out], 'Fail2Ban restarted');
break;
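Review bot: The sudo prefix that fw_exec() now prepends on the preg_replace line of the first hunk should be non-interactive: if the sudoers entry is missing on an existing install or does not match the exact argument form, plain `sudo` tries to prompt for a password from a php-fpm worker with no terminal, so use `'sudo -n $1'` as the replacement, which makes sudo exit at once with an explicit error that the appended `2>&1` captures into the returned output. The prefix also does nothing to bound what follows `ufw` or `fail2ban-client`, since the whole string still reaches shell_exec(); every caller that assembles $cmd from request data (the callers are outside this hunk) must pass each value through escapeshellarg(), and the NOPASSWD entry written by install.sh (not visible here) should list exact command forms rather than a trailing wildcard so the sudoers rule, not the PHP regex, is the real privilege boundary. In the second hunk, `fw_exec('sudo systemctl restart fail2ban 2>&1')` hard-codes both a sudo prefix and a redirection that fw_exec() itself adds, and it avoids a double prefix only because the anchored regex does not match a string beginning with `sudo`; the line should be `$out = fw_exec('systemctl restart fail2ban');` so the privilege prefix lives in one place. A short docblock on fw_exec() stating that it returns trimmed combined stdout/stderr and that callers are responsible for escaping arguments would make that contract visible to the next caller.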